lfk/backend
2
0
Fork 0
Code Issues 1 Pull Requests Actions Projects Releases 40 Activity

feature/40-pw_reset #48

Merged
niggl merged 17 commits from feature/40-pw_reset into dev 2020-12-22 15:29:45 +00:00
Conversation 1 Commits 17 Files Changed 11 +193 -6
11 changed files with 193 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/authchecker.ts
View File

@ -3,7 +3,7 @@ import * as jwt from "jsonwebtoken";
import { Action } from "routing-controllers"; import { Action } from "routing-controllers";
import { getConnectionManager } from 'typeorm'; import { getConnectionManager } from 'typeorm';
import { config } from './config'; import { config } from './config';
import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError'; import { IllegalJWTError, NoPermissionError, UserDisabledError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
import { JwtCreator, JwtUser } from './jwtcreator'; import { JwtCreator, JwtUser } from './jwtcreator';
import { User } from './models/entities/User'; import { User } from './models/entities/User';
@ -31,6 +31,7 @@ const authchecker = async (action: Action, permissions: string[] | string) => {
const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions'] }) const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions'] })
if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() } if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
if (user.enabled == false) { throw new UserDisabledError(); }
if (!jwtPayload["permissions"]) { throw new NoPermissionError(); } if (!jwtPayload["permissions"]) { throw new NoPermissionError(); }
action.response.local = {} action.response.local = {}
@ -63,6 +64,7 @@ const refresh = async (action: Action) => {
const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions', 'groups', 'groups.permissions'] }) const user = await getConnectionManager().get().getRepository(User).findOne({ id: jwtPayload["id"], refreshTokenCount: jwtPayload["refreshTokenCount"] }, { relations: ['permissions', 'groups', 'groups.permissions'] })
if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() } if (!user) { throw new UserNonexistantOrRefreshtokenInvalidError() }
if (user.enabled == false) { throw new UserDisabledError(); }
let newAccess = JwtCreator.createAccess(user); let newAccess = JwtCreator.createAccess(user);
action.response.header("authorization", "Bearer " + newAccess); action.response.header("authorization", "Bearer " + newAccess);

24
src/controllers/AuthController.ts
View File

@ -1,10 +1,12 @@
import { Body, CookieParam, JsonController, Post, Res } from 'routing-controllers'; import { Body, CookieParam, JsonController, Param, Post, Res } from 'routing-controllers';
import { OpenAPI, ResponseSchema } from 'routing-controllers-openapi'; import { OpenAPI, ResponseSchema } from 'routing-controllers-openapi';
import { IllegalJWTError, InvalidCredentialsError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UsernameOrEmailNeededError } from '../errors/AuthError'; import { IllegalJWTError, InvalidCredentialsError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UsernameOrEmailNeededError } from '../errors/AuthError';
import { UserNotFoundError } from '../errors/UserErrors'; import { UserNotFoundError } from '../errors/UserErrors';
import { CreateAuth } from '../models/actions/CreateAuth'; import { CreateAuth } from '../models/actions/CreateAuth';
import { CreateResetToken } from '../models/actions/CreateResetToken';
import { HandleLogout } from '../models/actions/HandleLogout'; import { HandleLogout } from '../models/actions/HandleLogout';
import { RefreshAuth } from '../models/actions/RefreshAuth'; import { RefreshAuth } from '../models/actions/RefreshAuth';
import { ResetPassword } from '../models/actions/ResetPassword';
import { Auth } from '../models/responses/ResponseAuth'; import { Auth } from '../models/responses/ResponseAuth';
import { Logout } from '../models/responses/ResponseLogout'; import { Logout } from '../models/responses/ResponseLogout';
@ -78,4 +80,24 @@ export class AuthController {
} }
return response.send(auth) return response.send(auth)
} }
@Post("/reset")
@ResponseSchema(Auth)
@ResponseSchema(UserNotFoundError)
@ResponseSchema(UsernameOrEmailNeededError)
@OpenAPI({ description: "Request a password reset token" })
async getResetToken(@Body({ validate: true }) passwordReset: CreateResetToken) {
//This really shouldn't just get returned, but sent via mail or sth like that. But for dev only this is fine.
return { "resetToken": await passwordReset.toResetToken() };
}
@Post("/reset/:token")
@ResponseSchema(Auth)
@ResponseSchema(UserNotFoundError)
@ResponseSchema(UsernameOrEmailNeededError)
@OpenAPI({ description: "Reset a user's password" })
async resetPassword(@Param("token") token: string, @Body({ validate: true }) passwordReset: ResetPassword) {
passwordReset.resetToken = token;
return await passwordReset.resetPassword();
}
} }

2
src/controllers/UserController.ts
View File

@ -62,7 +62,7 @@ export class UserController {
} }
user = await this.userRepository.save(user) user = await this.userRepository.save(user)
return new ResponseUser(await this.userRepository.findOne(user, { relations: ['permissions', 'groups'] })); return new ResponseUser(await this.userRepository.findOne({ id: user.id }, { relations: ['permissions', 'groups'] }));
} }
@Put('/:id') @Put('/:id')

22
src/errors/AuthError.ts
View File

@ -115,4 +115,26 @@ export class RefreshTokenCountInvalidError extends NotAcceptableError {
@IsString() @IsString()
message = "Refresh token count is invalid." message = "Refresh token count is invalid."
}
/**
* Error to throw when someone tryes to reset a user's password more than once in 15 minutes.
*/
export class ResetAlreadyRequestedError extends NotAcceptableError {
@IsString()
name = "ResetAlreadyRequestedError"
@IsString()
message = "You already requested a password reset in the last 15 minutes. \n Please wait until the old reset code expires before requesting a new one."
}
/**
* Error to throw when someone tries a disabled user's password or login as a disabled user.
*/
export class UserDisabledError extends NotAcceptableError {
@IsString()
name = "UserDisabledError"
@IsString()
message = "This user is currently disabled. \n Please contact your administrator if this is a mistake."
} }

14
src/jwtcreator.ts
View File

@ -33,6 +33,20 @@ export class JwtCreator {
exp: expiry_timestamp exp: expiry_timestamp
}, config.jwt_secret) }, config.jwt_secret)
} }
/**
* Creates a new password reset token for a given user.
* The token is valid for 15 minutes or 1 use - whatever comes first.
* @param user User entity that the password reset token shall be created for
*/
public static createReset(user: User) {
let expiry_timestamp = Math.floor(Date.now() / 1000) + 15 * 60;
return jsonwebtoken.sign({
id: user.id,
refreshTokenCount: user.refreshTokenCount,
exp: expiry_timestamp
}, config.jwt_secret)
}
} }
/** /**

3
src/models/actions/CreateAuth.ts
View File

@ -1,7 +1,7 @@
import * as argon2 from "argon2"; import * as argon2 from "argon2";
import { IsEmail, IsNotEmpty, IsOptional, IsString } from 'class-validator'; import { IsEmail, IsNotEmpty, IsOptional, IsString } from 'class-validator';
import { getConnectionManager } from 'typeorm'; import { getConnectionManager } from 'typeorm';
import { InvalidCredentialsError, PasswordNeededError, UserNotFoundError } from '../../errors/AuthError'; import { InvalidCredentialsError, PasswordNeededError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
import { UsernameOrEmailNeededError } from '../../errors/UserErrors'; import { UsernameOrEmailNeededError } from '../../errors/UserErrors';
import { JwtCreator } from '../../jwtcreator'; import { JwtCreator } from '../../jwtcreator';
import { User } from '../entities/User'; import { User } from '../entities/User';
@ -55,6 +55,7 @@ export class CreateAuth {
if (!found_user) { if (!found_user) {
throw new UserNotFoundError(); throw new UserNotFoundError();
} }
if (found_user.enabled == false) { throw new UserDisabledError(); }
if (!(await argon2.verify(found_user.password, this.password + found_user.uuid))) { if (!(await argon2.verify(found_user.password, this.password + found_user.uuid))) {
throw new InvalidCredentialsError(); throw new InvalidCredentialsError();
} }

50
src/models/actions/CreateResetToken.ts Normal file
View File

@ -0,0 +1,50 @@
import { IsEmail, IsOptional, IsString } from 'class-validator';
import { getConnectionManager } from 'typeorm';
import { ResetAlreadyRequestedError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
import { UsernameOrEmailNeededError } from '../../errors/UserErrors';
import { JwtCreator } from '../../jwtcreator';
import { User } from '../entities/User';
/**
* This calss is used to create password reset tokens for users.
* These password reset token can be used to set a new password for the user for the next 15mins.
*/
export class CreateResetToken {
/**
* The username of the user that wants to reset their password.
*/
@IsOptional()
@IsString()
username?: string;
/**
* The email address of the user that wants to reset their password.
*/
@IsOptional()
@IsEmail()
@IsString()
email?: string;
/**
* Create a password reset token based on this.
*/
public async toResetToken(): Promise<any> {
if (this.email === undefined && this.username === undefined) {
throw new UsernameOrEmailNeededError();
}
let found_user = await getConnectionManager().get().getRepository(User).findOne({ where: [{ username: this.username }, { email: this.email }] });
if (!found_user) { throw new UserNotFoundError(); }
if (found_user.enabled == false) { throw new UserDisabledError(); }
if (found_user.resetRequestedTimestamp > (Math.floor(Date.now() / 1000) - 15 * 60)) { throw new ResetAlreadyRequestedError(); }
found_user.refreshTokenCount = found_user.refreshTokenCount + 1;
found_user.resetRequestedTimestamp = Math.floor(Date.now() / 1000);
await getConnectionManager().get().getRepository(User).save(found_user);
//Create the reset token
let reset_token = JwtCreator.createReset(found_user);
return reset_token;
}
}

11
src/models/actions/CreateUser.ts
View File

@ -1,5 +1,5 @@
import * as argon2 from "argon2"; import * as argon2 from "argon2";
import { IsEmail, IsOptional, IsPhoneNumber, IsString } from 'class-validator'; import { IsBoolean, IsEmail, IsOptional, IsPhoneNumber, IsString } from 'class-validator';
import { getConnectionManager } from 'typeorm'; import { getConnectionManager } from 'typeorm';
import * as uuid from 'uuid'; import * as uuid from 'uuid';
import { config } from '../../config'; import { config } from '../../config';
@ -63,6 +63,14 @@ export class CreateUser {
@IsString() @IsString()
password: string; password: string;
/**
* Will the new user be enabled from the start?
* Default: true
*/
@IsBoolean()
@IsOptional()
enabled?: boolean = true;
/** /**
* The new user's groups' id(s). * The new user's groups' id(s).
* You can provide either one groupId or an array of groupIDs. * You can provide either one groupId or an array of groupIDs.
@ -91,6 +99,7 @@ export class CreateUser {
newUser.phone = this.phone newUser.phone = this.phone
newUser.password = await argon2.hash(this.password + newUser.uuid); newUser.password = await argon2.hash(this.password + newUser.uuid);
newUser.groups = await this.getGroups(); newUser.groups = await this.getGroups();
newUser.enabled = this.enabled;
//TODO: ProfilePics //TODO: ProfilePics
return newUser; return newUser;

3
src/models/actions/RefreshAuth.ts
View File

@ -2,7 +2,7 @@ import { IsOptional, IsString } from 'class-validator';
import * as jsonwebtoken from 'jsonwebtoken'; import * as jsonwebtoken from 'jsonwebtoken';
import { getConnectionManager } from 'typeorm'; import { getConnectionManager } from 'typeorm';
import { config } from '../../config'; import { config } from '../../config';
import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError'; import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserDisabledError, UserNotFoundError } from '../../errors/AuthError';
import { JwtCreator } from "../../jwtcreator"; import { JwtCreator } from "../../jwtcreator";
import { User } from '../entities/User'; import { User } from '../entities/User';
import { Auth } from '../responses/ResponseAuth'; import { Auth } from '../responses/ResponseAuth';
@ -39,6 +39,7 @@ export class RefreshAuth {
if (!found_user) { if (!found_user) {
throw new UserNotFoundError() throw new UserNotFoundError()
} }
if (found_user.enabled == false) { throw new UserDisabledError(); }
if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) { if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) {
throw new RefreshTokenCountInvalidError() throw new RefreshTokenCountInvalidError()
} }

57
src/models/actions/ResetPassword.ts Normal file
View File

@ -0,0 +1,57 @@
import * as argon2 from "argon2";
import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
import * as jsonwebtoken from 'jsonwebtoken';
import { getConnectionManager } from 'typeorm';
import { config } from '../../config';
import { IllegalJWTError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError';
import { User } from '../entities/User';
/**
* This class can be used to reset a user's password.
* To set a new password the user needs to provide a valid password reset token.
*/
export class ResetPassword {
/**
* The reset token on which the password reset will be based.
*/
@IsOptional()
@IsString()
resetToken?: string;
/**
* The user's new password
*/
@IsNotEmpty()
@IsString()
password: string;
/**
* Create a password reset token based on this.
*/
public async resetPassword(): Promise<any> {
if (!this.resetToken || this.resetToken === undefined) {
throw new JwtNotProvidedError()
}
if (!this.password || this.password === undefined) {
throw new PasswordNeededError()
}
let decoded;
try {
decoded = jsonwebtoken.verify(this.resetToken, config.jwt_secret)
} catch (error) {
throw new IllegalJWTError()
}
const found_user = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["id"] });
if (!found_user) { throw new UserNotFoundError(); }
if (found_user.refreshTokenCount !== decoded["refreshTokenCount"]) { throw new RefreshTokenCountInvalidError(); }
found_user.refreshTokenCount = found_user.refreshTokenCount + 1;
found_user.password = await argon2.hash(this.password + found_user.uuid);
await getConnectionManager().get().getRepository(User).save(found_user);
return "password reset successfull";
}
}

9
src/models/entities/User.ts
View File

@ -111,6 +111,15 @@ export class User extends Principal {
@IsOptional() @IsOptional()
profilePic?: string; profilePic?: string;
/**
* The last time the user requested a password reset.
* Used to prevent spamming of the password reset route.
*/
@Column({ nullable: true, unique: true })
@IsString()
@IsOptional()
resetRequestedTimestamp?: number;
/** /**
* The actions performed by this user. * The actions performed by this user.
* For documentation purposes only, will be implemented later. * For documentation purposes only, will be implemented later.